If you use Safari, disable your autofill imediately.  Apple enables this by default.  We’ll wait.

(Uncheck all)

Websites can now steal your Safari browser autofill information including Name, Address, Email, Credit Card etc. without a mention using a very simple exploit detailled by Jeremiah Grossman.

These fields are AutoFill’ed using data from the users personal record in the local operating system address book. Again it is important to emphasize this feature works even though a user never entered this data on any website. Also this behavior should not be confused with normal auto-complete data a Web browser may remember after its typed into a form.

All a malicious website would have to do to surreptitiously extract Address Book card data from Safari is dynamically create form text fields with the aforementioned names, probably invisibly, and then simulate A-Z keystroke events using JavaScript. When data is populated, that is AutoFill’ed, it can be accessed and sent to the attacker.

As shown in the proof-of-concept code (graciously hosted by Robert “RSnake” Hansen), the entire process takes mere seconds and represents a major breach in online privacy. This attack could be further leveraged in multistage attacks including email spam, (spear) phishing, stalking, and even blackmail if a user is de-anonymized while visiting objectionable online material.

If you want to see how it works, check out this page in Safari with your autofill on (note you could be giving up that informaton to that website and any others you go to with that on).

Very scary.  Even more scary?  This vulnerability has been known about for a year…and it could have been embedded into online advertising on an otherwise normal website.  Older versions of IE (6 and 7) are also susceptible according to the Register.

Grossman informed Apple about the exploit over a month ago but hasn’t received a response.

I figured Apple might appreciate a vulnerability disclosure prior to public discussion, which I did on June 17, 2010 complete with technical detail. A gleeful auto-response came shortly after, to which I replied asking if Apple was already aware of the issue. I received no response after that, human or robot. I have no idea when or if Apple plans to fix the issue, or even if they are aware, but thankfully Safari users only need to disable AutoFill web forms to protect themselves.

As this is now officially in the wild, either switch off autofill or switch to another browser until it is fixed.